CVE-2009-2493

HIGH EXPLOITED

Microsoft Visual Studio <2008 - RCE

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2009-2493 has been observed exploited in the wild (reported by VulnCheck KEV).

Description

The Active Template Library (ATL) in Microsoft Visual Studio .NET 2003 SP1, Visual Studio 2005 SP1 and 2008 Gold and SP1, and Visual C++ 2005 SP1 and 2008 Gold and SP1; and Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2; does not properly restrict use of OleLoadFromStream in instantiating objects from data streams, which allows remote attackers to execute arbitrary code via a crafted HTML document with an ATL (1) component or (2) control, related to ATL headers and bypassing security policies, aka "ATL COM Initialization Vulnerability."

References (36)

Core 36
Core References
Patch, Third Party Advisory x_refsource_confirm
http://www.adobe.com/support/security/bulletins/apsb09-11.html
Broken Link vendor-advisory x_refsource_sunalert
http://sunsolve.sun.com/search/document.do?assetkey=1-66-266108-1
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6304
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2009/2034
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA09-223A.html
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6621
Third Party Advisory x_refsource_confirm
http://www.openoffice.org/security/cves/CVE-2009-2493.html
Third Party Advisory x_refsource_confirm
http://www.adobe.com/support/security/bulletins/apsb09-13.html
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA09-286A.html
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/0366
Third Party Advisory vendor-advisory x_refsource_hp
http://marc.info/?l=bugtraq&m=126592505426855&w=2
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/36187
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA09-342A.html
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2009/2232
Third Party Advisory x_refsource_confirm
http://www.adobe.com/support/security/bulletins/apsb09-10.html
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/36374
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/38568
Patch, Third Party Advisory x_refsource_confirm
http://www.adobe.com/support/security/advisories/apsa09-04.html
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6245
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6716
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/36746
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6421
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/41818
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/35967
Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html
Broken Link vendor-advisory x_refsource_sunalert
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1020775.1-1
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA09-195A.html
Broken Link vendor-advisory x_refsource_sunalert
http://sunsolve.sun.com/search/document.do?assetkey=1-66-264648-1
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6473

Scores

CVSS v3 8.8
EPSS 0.4339
EPSS Percentile 98.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

VulnCheck KEV 2009-11-04
CWE
CWE-264 CWE-94
Status published
Products (10)
microsoft/visual_c\+\+ 2005 sp1
microsoft/visual_c\+\+ 2008 (2 CPE variants)
microsoft/visual_studio 2003 sp1
microsoft/visual_studio 2005 sp1
microsoft/visual_studio 2008 (2 CPE variants)
microsoft/windows_2000
microsoft/windows_2003_server
microsoft/windows_server_2008 (2 CPE variants)
microsoft/windows_vista (3 CPE variants)
microsoft/windows_xp (2 CPE variants)
Published Jul 29, 2009
Tracked Since Feb 18, 2026